In-Reply-To: <CAEM=y+XKQZVz6UieB-nDy_C9xTmXiBB3-atuuZkxzmPoSVPOJw@mail.gmail.com>
References: <87h9cecad5.fsf@rustcorp.com.au>
<577224E8.6070307@jonasschnelli.ch>
<8760ssdd1u.fsf@rustcorp.com.au>
<CAEM=y+XKQZVz6UieB-nDy_C9xTmXiBB3-atuuZkxzmPoSVPOJw@mail.gmail.com>
Date: Wed, 29 Jun 2016 08:58:21 +0200
Message-ID: <CAPg+sBj3QRGYUzJn96ZS4bf1ZEH9KTwF+OxPXE-O_YJA66grBg@mail.gmail.com>
From: Pieter Wuille <pieter.wuille@gmail.com>
To: Ethan Heilman <eth3rs@gmail.com>,
Bitcoin Dev <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] BIP 151 use of HMAC_SHA512

On Jun 29, 2016 07:05, "Ethan Heilman via bitcoin-dev" <bitcoin-dev@lists.linuxfoundation.org> wrote:
>
> > It's also not clear to me why the HMAC, vs just
> > SHA256(key|cipher-type|mesg). But that's probably just my crypto
> > ignorance...
>
> SHA256(key|cipher-type|mesg) is an extremely insecure MAC because of
> the length extension property of SHA256.
This property technically does not apply here, as the output of the hash is
kept secret, and the possible messages are constants (which are presumably
chosen in such a way that one is never an extension of another).

However, this is a good example of why you can't generically use a hash
function in places where you want a MAC (aka "a hash with a shared
secret"). Furthermore, if you already have a hash function anyway, HMAC is
very easy to construct on top of it.
--
Pieter
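As an added illustration (not part of the original mail or of BIP 151), the following Python builds HMAC from a plain hash function exactly as RFC 2104 does, checks the result against the standard library, shows the naive SHA256(key|mesg) construction from the thread beside it, and includes a conservative check for the "no constant is an extension of another" condition the reply relies on. The shared secret and the context strings are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values (not from BIP 151 or the mail): a stand-in for
# the shared secret and two constant context strings, the second of which
# deliberately extends the first.
SHARED_SECRET = b"constructed-shared-secret-not-a-real-key"
MESSAGES = [b"cipher-type-A", b"cipher-type-A-extended"]


def hmac_from_hash(key: bytes, msg: bytes, hashfn=hashlib.sha512) -> bytes:
    """HMAC per RFC 2104, built only from a plain hash function (SHA-512 by default)."""
    block_size = hashfn().block_size          # 128 bytes for SHA-512, 64 for SHA-256
    if len(key) > block_size:                 # oversized keys are hashed down first ...
        key = hashfn(key).digest()
    key = key.ljust(block_size, b"\x00")      # ... then zero-padded to one full block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashfn(ipad + msg).digest()       # H((K ^ ipad) || msg)
    return hashfn(opad + inner).digest()      # H((K ^ opad) || inner)


def naive_mac(key: bytes, msg: bytes) -> bytes:
    """The SHA256(key|mesg) construction discussed in the thread: usable only under
    the narrow conditions the reply names (secret output, fixed constants), not as
    a generic MAC."""
    return hashlib.sha256(key + msg).digest()


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """True when the hand-built HMAC-SHA512 agrees with hmac.new for this input."""
    expected = hmac.new(key, msg, hashlib.sha512).digest()
    return hmac.compare_digest(hmac_from_hash(key, msg), expected)


def extension_free(messages) -> bool:
    """Conservative check of the condition the reply relies on: no constant may be
    a prefix (and therefore possibly a length extension) of another constant."""
    for i, a in enumerate(messages):
        for j, b in enumerate(messages):
            if i != j and b.startswith(a):
                return False
    return True


if __name__ == "__main__":
    for m in MESSAGES:
        print(m, matches_stdlib(SHARED_SECRET, m), naive_mac(SHARED_SECRET, m).hex())
    print("constants extension-free:", extension_free(MESSAGES))
```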